LinuxCommandLibrary

debsecan

Scan Debian packages for security vulnerabilities

TLDR

List vulnerable installed packages on the current host
$ debsecan

List vulnerable installed packages of a specific suite
$ debsecan --suite [release_code_name]

List only fixed vulnerabilities
$ debsecan --suite [release_code_name] --only-fixed

List only fixed vulnerabilities of unstable ("sid") and mail to root
$ debsecan --suite [sid] --only-fixed --format [report] --mailto [root] --update-history

Upgrade vulnerable installed packages
$ sudo apt upgrade $(debsecan --only-fixed --format [packages])

SYNOPSIS

debsecan [OPTION]…

PARAMETERS

-h, --help
    Show help message and exit

-q, --quiet
    Suppress non-essential output

-v, --verbose
    Increase verbosity

-V, --version
    Display version information

-f FORMAT, --format=FORMAT
    Output format: text, conky, csv, email, html

-s SUITE, --suite=SUITE
    Check suite: stable, testing, unstable, all (default: all)

--email-to EMAIL
    Send report to EMAIL (implies email format)

--email-from EMAIL
    Set From header for email

--cron
    Cron-friendly: quiet with logging

--apply
    Automatically upgrade security updates (use cautiously)

--summary
    Print only summary of updates

--list-bugs
    List associated bugs for CVEs

DESCRIPTION

debsecan is a security auditing tool designed for Debian-based Linux distributions. It checks the locally installed packages against the Debian security repository to identify available security updates. By fetching metadata from security.debian.org, debsecan compares package versions and vulnerabilities, reporting any discrepancies that could expose the system to known exploits.

The tool supports multiple output formats, making it suitable for manual checks, cron jobs, or email notifications. It categorizes updates by severity (e.g., high, medium) and suite (stable, testing, unstable), allowing users to focus on critical patches. While primarily for Debian, it works on derivatives like Ubuntu with minor adjustments.

debsecan promotes proactive security maintenance without requiring full system upgrades, helping administrators stay compliant with security best practices. It integrates well with automated update systems but warns against blind application of patches due to potential regressions.

CAVEATS

Requires the debsecan package to be installed and works best on pure Debian. --apply can cause breakage; test first. Needs internet access to fetch metadata. Not for non-Debian distributions without adaptation.

EXAMPLES

debsecan --suite stable — Check stable suite.
debsecan --format csv --cron — Cron-compatible CSV output.
debsecan --email-to admin@example.com — Email report.
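An added example, not debsecan's own code or from this page: a POSIX shell wrapper around the TLDR "upgrade vulnerable installed packages" recipe that honours the caveat to test first. It parses debsecan's default per-CVE report (the layout it assumes is stated in the block's comment; the sample lines are constructed), keeps packages with a fix available, and runs the upgrade only as an apt-get simulation, refusing any plan that would remove packages.

```shell
#!/bin/sh
# Added example, not debsecan's own code: keep only packages that debsecan
# reports with a fix available, then gate the upgrade behind an apt-get
# simulation (-s) so nothing is removed blindly, as the CAVEATS advise.
set -eu
# Constructed sample in debsecan's default per-CVE layout (assumed here):
#   CVE-YYYY-NNNN package (note, note, ...)
# where the notes include "fixed" when an update exists and "<level> urgency".
SAMPLE='CVE-2023-0001 libfoo1 (remotely exploitable, high urgency, fixed)
CVE-2023-0002 libfoo1 (low urgency, fixed)
CVE-2023-0003 bar (remotely exploitable, high urgency)
CVE-2023-0004 baz (fixed)
CVE-2023-0005 qux (remotely exploitable, low urgency)'
# Print unique package names whose note list contains every note in $1,
# given as a "|"-separated list, e.g. packages_with_notes 'fixed|high urgency'.
packages_with_notes() {
    awk -v want="$1" '
        { s = $0; sub(/^[^(]*\(/, "", s); sub(/\)[^)]*$/, "", s)
          n = split(s, notes, /, */); split("", have)
          for (i = 1; i <= n; i++) have[notes[i]] = 1
          m = split(want, need, "|"); ok = 1
          for (j = 1; j <= m; j++) if (!(need[j] in have)) ok = 0
          if (ok && !seen[$2]++) print $2 }'
}
fixed_packages() { packages_with_notes fixed; }
fixed_high_urgency_packages() { packages_with_notes 'fixed|high urgency'; }

# Read package names from stdin, simulate an upgrade limited to them, and
# refuse the plan if apt would remove anything; otherwise print the plan.
plan_upgrade() {
    pkgs=$(cat)
    [ -n "$pkgs" ] || { echo "no packages with fixes available" >&2; return 0; }
    # word-splitting the package list into separate arguments is intended
    sim=$(apt-get -s --only-upgrade install $pkgs) || return 1
    if printf '%s\n' "$sim" | grep -q '^Remv '; then
        echo "refusing: simulated upgrade would remove packages" >&2
        printf '%s\n' "$sim" | grep '^Remv ' >&2
        return 2
    fi
    printf '%s\n' "$sim"
}

# Filters applied to the constructed sample; no debsecan install needed.
demo_fixed()      { printf '%s\n' "$SAMPLE" | fixed_packages; }
demo_fixed_high() { printf '%s\n' "$SAMPLE" | fixed_high_urgency_packages; }
case "${1-}" in
    demo) demo_fixed; demo_fixed_high ;;
    run)  debsecan --suite "${2:-$(. /etc/os-release; echo "$VERSION_CODENAME")}" \
              | fixed_packages | plan_upgrade ;;
esac
```

Run with `demo` to see the filters on the sample, or `run [suite]` on a Debian host to get a simulated plan; nothing is installed unless you act on that plan yourself.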

OUTPUT INTERPRETATION

Reports show the package name, old/new version, CVE IDs and urgency (high/low). No updates are listed if the system is current.

HISTORY

Developed by Martin Pitt in 2006 for Debian. Maintained in Debian repos; versions track distro suites. Widely used in servers for automated security checks.

SEE ALSO

apt-listbugs(1), unattended-upgrades(8), apt-get(8)
